agenttesla | e2f7f94897d3c542e882840cd25955f9bf9e1b1507955ee144bdf939adcce73e

Analysis

max time kernel
103s
max time network
107s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-04-2023 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sales confirmation-a13802KA.docx
Size

10KB
MD5

aa17844cf349edcb703a84874bf9b51f
SHA1

9c894354e8aac4c58f111c7405a3f92d93d3da4f
SHA256

e2f7f94897d3c542e882840cd25955f9bf9e1b1507955ee144bdf939adcce73e
SHA512

a3ac31637f009b6a717999a60dcc2c5ff032db791ef5c808654b728a7746f6353f3976ab44cb5bbc97e99e1ac87f57af8433076c23dc4c595d69768bcf2f9424
SSDEEP

192:ScIMmtPGT7G/bIwXOVOtlrV5SEzBC4vNq6sM63kp:SPXuT+xXOVOTbhlqHI

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.strictfacilityservices.com
Port:
587
Username:
accounts@strictfacilityservices.com
Password:
SFS!@#321
Email To:
zamanic62@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1692 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1692	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\Common\Offline\Files\http://3221468051/r/######################################.doc	WINWORD.EXE

Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

880 vbc.exe
2036 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1692 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
880	vbc.exe
2036	vbc.exe

pid	process
1692	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 880 set thread context of 2036 880 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

852 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1692 EQNEDT32.EXE

description	pid	process	target process
PID 880 set thread context of 2036	880	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
852	schtasks.exe

pid	process
1692	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1620 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vbc.exepowershell.exe

pid process

880 vbc.exe
880 vbc.exe
880 vbc.exe
1460 powershell.exe

pid	process
1620	WINWORD.EXE

pid	process
880	vbc.exe
880	vbc.exe
880	vbc.exe
1460	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exevbc.exepowershell.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	880	vbc.exe
Token: SeDebugPrivilege	2036	vbc.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeShutdownPrivilege	1620	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1620 WINWORD.EXE
1620 WINWORD.EXE

pid	process
1620	WINWORD.EXE
1620	WINWORD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1692 wrote to memory of 880	1692	EQNEDT32.EXE	vbc.exe
PID 1692 wrote to memory of 880	1692	EQNEDT32.EXE	vbc.exe
PID 1692 wrote to memory of 880	1692	EQNEDT32.EXE	vbc.exe
PID 1692 wrote to memory of 880	1692	EQNEDT32.EXE	vbc.exe
PID 1620 wrote to memory of 1456	1620	WINWORD.EXE	splwow64.exe
PID 1620 wrote to memory of 1456	1620	WINWORD.EXE	splwow64.exe
PID 1620 wrote to memory of 1456	1620	WINWORD.EXE	splwow64.exe
PID 1620 wrote to memory of 1456	1620	WINWORD.EXE	splwow64.exe
PID 880 wrote to memory of 1460	880	vbc.exe	powershell.exe
PID 880 wrote to memory of 1460	880	vbc.exe	powershell.exe
PID 880 wrote to memory of 1460	880	vbc.exe	powershell.exe
PID 880 wrote to memory of 1460	880	vbc.exe	powershell.exe
PID 880 wrote to memory of 852	880	vbc.exe	schtasks.exe
PID 880 wrote to memory of 852	880	vbc.exe	schtasks.exe
PID 880 wrote to memory of 852	880	vbc.exe	schtasks.exe
PID 880 wrote to memory of 852	880	vbc.exe	schtasks.exe
PID 880 wrote to memory of 2036	880	vbc.exe	vbc.exe
PID 880 wrote to memory of 2036	880	vbc.exe	vbc.exe
PID 880 wrote to memory of 2036	880	vbc.exe	vbc.exe
PID 880 wrote to memory of 2036	880	vbc.exe	vbc.exe
PID 880 wrote to memory of 2036	880	vbc.exe	vbc.exe
PID 880 wrote to memory of 2036	880	vbc.exe	vbc.exe
PID 880 wrote to memory of 2036	880	vbc.exe	vbc.exe
PID 880 wrote to memory of 2036	880	vbc.exe	vbc.exe
PID 880 wrote to memory of 2036	880	vbc.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Sales confirmation-a13802KA.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1456

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JNECrDxSdm.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JNECrDxSdm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp63A4.tmp"
3⤵
- Creates scheduled task(s)
PID:852

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F70C9D67-3631-4E83-94C8-470F3EECD442}.FSD
Filesize
128KB

MD5
7c9103dc395b5abc6a4f833bd91c12f9

SHA1
9ec719efeb0e777f6d8aef92cce25ed9b78a981c

SHA256
4fca3e4da47e2872a3f192022b99ba0fe9a81e0b471ab84746e5a5e657114bdb

SHA512
f231d0a2e6434d185ff7653d16911eccba29b74c58f50dffe2e86641a59f102c9b4108e98553d2ab0c0337d6dc78ff2f2bc60e1e9f4b50bef21521cda261dfba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
25da5fa2eb8fb2efdb7ebc40b1ef3967

SHA1
b62a437c76ca4c95e5b2742f81260e6e921a39c8

SHA256
7812b55aa5988abc84a11ae521bbf673d3332f8e5d3660ed46c3bf2ae4f83e33

SHA512
e74d077dd63c631775c21d275a4ebade7103288bbf9dd56a4de17b3d90e17ca0ba562c3dd80388c9ff16038590f6d470acd0dc8d95456b7e748c84aba8cd068f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\######################################[1].doc
Filesize
22KB

MD5
e585de882debb5a6570a92cd36041dfd

SHA1
6fb8c051c8dcd87c380a60a18d81793a8aed4e10

SHA256
eadde3baffcc9c4bc8416713367eba8c58b38b271c07f35ac68b1b7f3927965a

SHA512
e2eb8afd4c889f6b5c97620629483b02970d8d365bb319acfe36970e7f6c28b80c263a76a3c7444e6c1a6fb24ad089c76261ffba940a647148c53ddaae77e713

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp63A4.tmp
Filesize
1KB

MD5
971f2d66f102f09438449331f0ce1150

SHA1
4320dec878f6077ee72e55b07c0825de35e6109b

SHA256
e3a13fb8190ba7cdd58175d4607aab60159f4cd563b5fe898b805413746b73ed

SHA512
dd13a1bd153d013d6435d18365a6e07d906f1eca76578a7d5bd5212dd7589641b2d70ce445ac449d83deea339c4dd2c2c4e29e710ff8012065bbb187d02b6f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\{60558A68-9F41-4DFE-8993-87CE7F975E9F}
Filesize
128KB

MD5
aa098ddd7c35fdf047fd1c004a037dd8

SHA1
45924a171af47b17e079fbb93c7a452474bfefc9

SHA256
d4a52dff05ed493a1b6c1fb1d021a16956a53ba49d7bb675fe7bc56dba6ad2e0

SHA512
fb954f24619648331871ff4c2edd818adb9ed78f318895bea63ba4b501077af319e2b50921ff23cdf909e423bc4bee5f36ace5ea3bc449901b1bf942bcdb8cb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
bf98a08c1ac1a4c3a6d48ffc87c51287

SHA1
b9fb718ac1d73a1b8f1060a0a8853bdbb9e105e6

SHA256
1e4c637ea1b5fc08f1fb0483890337e046c546cab358f38e6ca0f8b5816adfd6

SHA512
9e68ee75af04b74e4ee78b7c689b1078a793ca3bef22783b9b18df1455f7c697e6ac097b766fc58c8d48bab2f86e8e1ab70eac5308e7780d078d136ae556c49d

Download Submit
C:\Users\Public\vbc.exe
Filesize
587KB

MD5
2695bbee65577ccc58e90a792688bd57

SHA1
06cfe3a6cf0ef40585131091295c027cb9cba1e6

SHA256
da2672a63dddcb9bf226ce99f0b096bd65875ae950b4b0d481e2dc02b6b9a260

SHA512
4ec641191b3564002814c56cdbcd833cbbb6e9bc7497c67f2c1b1fc8f9fa2df3ff6b740cf47525a69cea67b9af10f3b164e3c3d537669f30d318e8c775bf3acc

Download Submit
C:\Users\Public\vbc.exe
Filesize
587KB

MD5
2695bbee65577ccc58e90a792688bd57

SHA1
06cfe3a6cf0ef40585131091295c027cb9cba1e6

SHA256
da2672a63dddcb9bf226ce99f0b096bd65875ae950b4b0d481e2dc02b6b9a260

SHA512
4ec641191b3564002814c56cdbcd833cbbb6e9bc7497c67f2c1b1fc8f9fa2df3ff6b740cf47525a69cea67b9af10f3b164e3c3d537669f30d318e8c775bf3acc

Download Submit
C:\Users\Public\vbc.exe
Filesize
587KB

MD5
2695bbee65577ccc58e90a792688bd57

SHA1
06cfe3a6cf0ef40585131091295c027cb9cba1e6

SHA256
da2672a63dddcb9bf226ce99f0b096bd65875ae950b4b0d481e2dc02b6b9a260

SHA512
4ec641191b3564002814c56cdbcd833cbbb6e9bc7497c67f2c1b1fc8f9fa2df3ff6b740cf47525a69cea67b9af10f3b164e3c3d537669f30d318e8c775bf3acc

Download Submit
C:\Users\Public\vbc.exe
Filesize
587KB

MD5
2695bbee65577ccc58e90a792688bd57

SHA1
06cfe3a6cf0ef40585131091295c027cb9cba1e6

SHA256
da2672a63dddcb9bf226ce99f0b096bd65875ae950b4b0d481e2dc02b6b9a260

SHA512
4ec641191b3564002814c56cdbcd833cbbb6e9bc7497c67f2c1b1fc8f9fa2df3ff6b740cf47525a69cea67b9af10f3b164e3c3d537669f30d318e8c775bf3acc

Download Submit
\Users\Public\vbc.exe
Filesize
587KB

MD5
2695bbee65577ccc58e90a792688bd57

SHA1
06cfe3a6cf0ef40585131091295c027cb9cba1e6

SHA256
da2672a63dddcb9bf226ce99f0b096bd65875ae950b4b0d481e2dc02b6b9a260

SHA512
4ec641191b3564002814c56cdbcd833cbbb6e9bc7497c67f2c1b1fc8f9fa2df3ff6b740cf47525a69cea67b9af10f3b164e3c3d537669f30d318e8c775bf3acc

Download Submit
memory/880-152-0x0000000006240000-0x00000000062AA000-memory.dmp

Filesize
424KB

Download
memory/880-142-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/880-151-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/880-141-0x0000000000A70000-0x0000000000B0A000-memory.dmp

Filesize
616KB

Download
memory/880-143-0x0000000000300000-0x0000000000314000-memory.dmp

Filesize
80KB

Download
memory/880-160-0x0000000004D00000-0x0000000004D32000-memory.dmp

Filesize
200KB

Download
memory/880-150-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/1460-169-0x0000000002420000-0x0000000002460000-memory.dmp

Filesize
256KB

Download
memory/1460-174-0x0000000002420000-0x0000000002460000-memory.dmp

Filesize
256KB

Download
memory/1620-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1620-201-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2036-163-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2036-165-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2036-164-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2036-166-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2036-162-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2036-161-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2036-170-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2036-172-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2036-173-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download